osx - Packet filter syntax and loopback -

i have tun adapter (os x) looks this:

tun11: flags=8851<up,pointopoint,running,simplex,multicast> mtu 1500     inet 10.12.0.2 --> 10.12.0.1 netmask 0xff000000      open (pid 4004) 

i send udp packet it:

echo "lol" | nc -4u 10.12.0.1 8000 

and able see tcpdump:

➜  build git:(master) ✗ sudo tcpdump -i tun11 -vv tcpdump: listening on tun11, link-type null (bsd loopback), capture     size 262144 bytes 14:39:16.669055 ip (tos 0x0, ttl 64, id 21714, offset 0, flags     [none], proto udp (17), length 32)     10.12.0.2.55707 > 10.12.0.1.irdmi: [udp sum ok] udp, length 4 

however not see when use capture filter:

➜  build git:(master) ✗ sudo tcpdump -i tun11 udp -vv tcpdump: listening on tun11, link-type null (bsd loopback), capture size 262144 bytes 

same syntax works fine ethernet adapter:

➜  build git:(master) ✗ sudo tcpdump -i en0 udp -vv tcpdump: listening on en0, link-type en10mb (ethernet), capture size 262144 bytes 14:42:15.010329 ip (tos 0x0, ttl 128, id 7539, offset 0, flags [none], proto udp (17), length 291)     xxxx.54915 > 10.64.3.255.54915: [udp sum ok] udp, length 263 

i checked man pcap-filter , found interesting sentence related capture filters:

note primitive not chase protocol header chain. 

is related problem? anyway, why capture filters (at least protocol part) not work loopback adapters , there way make them work?

addition

interesting, works tun device created openvpn. not understand difference.

tun11: flags=8851<up,pointopoint,running,simplex,multicast> mtu 1500     inet 10.12.0.2 --> 10.12.0.1 netmask 0xff000000      open (pid 5792) utun0: flags=8051<up,pointopoint,running,multicast> mtu 1500     inet 198.18.1.214 --> 198.18.1.213 netmask 0xffffffff      inet6 xxxx%utun0 prefixlen 64 optimistic scopeid 0xa      inet6 xxxx::1074 prefixlen 64 tentative      nd6 options=1<performnud>